Using HR Data to Prevent Unauthorized IT Access

How does it work
One topic that keeps recurring among customers during Identity Management projects with tenfold (especially companies with more than 500 IT users) is the wish to be able to transfer user data automatically from HR databases (SAP HCM etc.) into tenfold – i.e. not having to enter persons manually into the system, but for them to be transferred automatically via an interface, as soon as they have been entered, modified or deactivated in the HR system. The fact that it was previously only possible to carry out this process using scripting (EXEC Job) led to two disadvantages: the import-scripts were highly individual in terms of design and therefore not Best Practice compliant. Secondly, changing the configuration was only possible by customizing the script, which discouraged some customers from conducting the changes themselves..

tenfold‘s Import Plugin
tenfold presents a new solution for this issue in form of the Import Plugin . The plugin makes the implementation of an HR interface for identity management very easy and straight-forward – provided that the HR system is able to export the relevant data regularly (e.g. once a day) to a text file, which the import plugin can then import. The regular provision of data usually lies within the responsibility of the consultant or manufacturer of the HR solution. Where the commonly used solutions are concerned (SAP HR, LOGA by P&I, DATEV), implementation is usually not a problem for tenfold. For other systems, where there is no such provision, tenfold has announced that the plugin will be extended to allow access via interfaces like SQL and BAPI (and others) as well.

Plugin Features
The plugin can then recognize new employees from the import source and a request to create a new person is automatically made in tenfold. The plugin also recognizes master data changes automatically and generates a change request. Employees who leave the company are either labelled or have already received a leaving date. This allows the plugin to create a request for deletion at the appropriate time.
Requests created by the plugin are handled exactly in the same way as if they had been made manually. This means that, if a person is entered manually in tenfold, the subsequent process is identical to the process triggered by the plugin. The correct department profiles are thus automatically assigned, and the other plugins also behave according to their particular configuration.
If desired, you can insert an approval workflow before the request. This option is particularly useful during the go-live phase, as it allows you to monitor whether the HR system data is delivered correctly over a certain period of time and whether the requests generated from it contain the required data in tenfold.

General Information On Plugins
Since version 2017 R3, tenfold has made some significant conceptual system-changes. The introduction of plugins has made the previous configuration, which was very scripting-intensive in some areas, much more user-friendly. The plugins released thus far are easy to install and to configure. At the same time, an attempt was made to preserve the ability to intervene at specified points, where the standard options are not sufficient, by means of scripting.

Permission management simplified

Request trial
By |2019-01-07T10:46:51+00:0007 / 01 / 2019|BLOG, BLOG|

About the Author:

Helmut Semmelmayer
Helmut Semmelmayer has been Senior Manager Channel Sales at the software company tenfold since 2012. He is in charge of partner sales and product marketing and regularly blogs about issues and topics related to identity and access management.